Apparently, the problem lies in the fact that GNOME and possibly other Linux desktop environments, e.g. Mate, Xfce, etc… allow thumbnailers to use their framework without a sandboxing mechanism – which can potentially lead to malicious behavior if exploited by an attacker.

Ubuntu’s Scott Ritchie

The thumbnailer at hand is called “gnome-exe-thumbnailer” – a package available for Ubuntu, Debian and other Linux distros, is supposed to generate thumbnail previews for MSI (Microsoft Installer) files, like those you may normally have when running Windows programs on WINE.

The thing is, gnome-exe-thumbnailer can also execute scripts written in VBScripts (an scripting language developed by Microsoft).

The issue was first discovered by German developer Nils Dagsson Moskopp, who had suggested users to not use GNOME Files (from before GNOME 3.26), Cinnamon Nemo or MATE caja file managers, due to the potential risk they may carry.

Lately however, it seems the issue has managed to catch the attention of GNOME developer – Carlos Soriano (csoriano), who wasn’t very fond of Nils’ advice to users, and came up with his own solution: simply, “Uninstall gnome-exe-thumbnailer :)”.

Carlos has also offered to use a technology called bwrap which is used to sandbox flatpak apps in order to avoid random code execution by rouge thumbnailers. Carlos says work on that is almost done and should be merged and released soon.